- Contract uses `.call()`, `.delegatecall()`, `.staticcall()`, or `.send()` for external interactions
function payout(address to, uint256 amount) external {
    // VULNERABLE (illustration): the bool returned by the low-level call is
    // discarded, so a failed transfer does not revert this transaction.
    to.call{value: amount}("");
    // Accounting moves forward regardless of whether the call above succeeded.
    totalPaid = totalPaid + amount;
}
function interact(address target, bytes calldata data) external {
    // VULNERABLE (illustration): nothing verifies that `target` has deployed code.
    // The EVM reports success for a low-level call to an address with no code,
    // so checking the returned bool alone cannot detect a missing target.
    (bool success, ) = target.call(data);
    require(success); // true for a codeless target as well
    // Reached even when no code executed at `target`.
    _markComplete();
}
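- `.call(`, `.send(`, `.delegatecall(`, `.staticcall(` in the codebase
- `bool` is captured AND checked (e.g., `require(success)`)
- `target.code.length > 0` is verified before the call — the EVM silently succeeds on calls to addresses with no code
- `address.code.length` check can be bypassed during constructor execution (code size is 0)
- `require(success)`
- High-level calls (e.g., `IERC20(token).transfer(...)`), which include automatic `extcodesize` checks and revert on failure
- `require(success, "call failed")`
- `require(target.code.length > 0)`

function payout(address to, uint256 amount) external {
    // Recipient guard kept as written: addresses with code pass, and so does
    // the externally owned account that originated the transaction; every
    // other codeless address is rejected.
    // NOTE(review): an address whose constructor is still running reports
    // code.length == 0, and the tx.origin exception admits only one EOA —
    // confirm which recipients this function is meant to pay.
    require(to.code.length > 0 || to == tx.origin, "no code at target");

    // Effect before interaction: record the payment first so a recipient that
    // re-enters during the call observes the updated total. If the call fails,
    // the require below reverts the transaction, including this update.
    totalPaid += amount;

    // Capture and check the low-level call's return value; a failed transfer
    // must revert rather than pass silently.
    (bool success, ) = to.call{value: amount}("");
    require(success, "transfer failed");
}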